Job Details

ID #44859232
State New York
City New york city
Job type Permanent
Salary TBD
Source MTA New York City Transit
Showed 2022-08-14
Date 2022-08-13
Deadline 2022-10-12
Category Et cetera

Application Security Specialist Level 3 - 5

New York, New York City, 10004, USA

Job Information

Job Title: Application Security Specialist - Levels 3 - 5

Salary Range:
  • Level 3: Min. $74,597; Mid. $99,463; Max. $124,329
  • Level 4: Min. $79,023; Mid. $105,364; Max. $131,705
  • Level 5: Min. $86,653; Mid. $115,537.50; Max. $144,422

Points:
  • Level 3: 393
  • Level 4: 451
  • Level 5: 551

Dept/Div: MTA IT/Office of IT Cyber Security Services

Supervisor: Director Applications and Infrastructure Endpoint Security

Location: 2 Broadway and other locations as required

Hours of Work: 9:00 AM - 5:30 PM (7.5 hours/day) or as required

In order to protect our employees and continue to provide safe and reliable service to our communities, as of November 14, 2021 we are requiring all new MTA hires to be fully vaccinated against COVID-19 prior to their start date. MTA will consider exceptions for religious and medical reasons, where appropriate. "Fully vaccinated" means you must have both doses of a 2-dose vaccine and two weeks have elapsed since the second dose, or have received 1 dose of a 1-dose vaccine and two weeks have elapsed since the dose. Proof of your vaccination status in the form of a CDC vaccine card must be submitted prior to your start date.

Summary

The position will be responsible for: risk assessment (identifying problems), vulnerability assessment (determining system and application weaknesses) and defense planning (implementing appropriate countermeasures). Responsibilities will include leading risk assessments and participating in cross-functional projects, which require interfacing with other functional contacts at various levels of the organization and with key vendors; analyzing technical and procedural controls for potential findings; assessing the likelihood, severity and potential business impact of findings; working with stakeholders to design, author and commit to risk mitigation actions; and tracking the status of these committed actions. For Level 3, the candidate should possess strong knowledge of cloud-based or on-premises risk assessment tools to assess application and system vulnerabilities. For Level 4, strong knowledge of industry security standards such as PCI/DSS, NIST, ISO and CSA is required. For Level 5, expert knowledge of Governance, Risk and Compliance systems along with application and system vulnerability tools is a must.

Additionally, this position must keep fully up to date on evolving Federal, FRA and NYS cyber security standards and PCI industry standards, techniques and requirements, so that ongoing risk/compliance assessments continue to secure MTA confidential and private intellectual assets from unauthorized access.

The position is required to be "on call" in the 24-hour, 365-day operating environment to ensure the availability and delivery of technology services in support of MTA corporate business goals and objectives.

Responsibilities

Level 3
  • Analyze all the risk-related activities of MTA's IT organization, planning, testing, reporting, and recommending appropriate remediation measures.
  • Assist in Application Security vulnerability analysis of existing and new applications.
  • Recommend corrective actions to fix the application security related problems.
  • Assist with the monitoring of risk mitigation and coordination of policy and controls with the compliance manager, director and the chief information security officer (CISO), to ensure that other managers and IT staff are taking effective remediation steps.
  • Benchmark the risk management practices of other companies, particularly those in transportation and state government, to maintain an up-to-date understanding of industry best practices, and monitor the legal and regulatory environment for developments that could require changes to MTA's established IT policies and practices.
  • Create, disseminate and (as required) update documentation of MTA's matrix of identified IT risks and controls.
  • Work directly with the business units and other internal departments and organizations to facilitate IT risk analysis and risk management processes, identify acceptable levels of residual risk, and establish roles and responsibilities related to information classification and protection.
  • Assist in designing and conducting new risk assessments for the MTA and its Agencies to ensure that risks to MTA IT assets are identified and mitigated when required.
  • Assist with technical risk assessments, such as PCI/DSS vulnerability scanning, application risk assessment, network design review and penetration testing, while assisting with third-party assessments.
  • Work in a team environment interacting with the PCI QSA, business units and other security professionals to confirm findings and resolve misunderstandings resulting from the PCI risk assessment review; analyze the QA test process and help develop procedural strategies for reviewing reports and services.
  • Coordinate information security and risk management projects with personnel from the IT organization, lines of business, and other internal departments and organizations.
  • Facilitate business alignment and communications by forming an IT risk management steering committee or advisory board.
  • Review risk assessments, analyze the effectiveness of MTA's IT internal control activities and report on them, with actionable recommendations, to the Risk and Compliance officer, CISO, IT director and managers.
  • Follow up on deficiencies identified in monitoring reviews, self-assessments, automated assessments, and internal and external audits to ensure that appropriate remediation measures have been taken.

Level 4
  • Analyze all the risk-related activities of MTA's IT organization, planning, testing, reporting and recommending appropriate remediation measures.
  • Assist with the oversight and monitoring of risk mitigation and coordination of policy and controls with the compliance manager, director and the chief information security officer (CISO), to ensure that other managers and IT staff are taking effective remediation steps.
  • Benchmark the risk management practices of other companies, particularly those in transportation and state government, to maintain an up-to-date understanding of industry best practices, and monitor the legal and regulatory environment for developments that could require changes to MTA's established IT policies and practices.
  • Create, disseminate and (as required) update documentation of MTA's matrix of identified IT risks and controls.
  • Work directly with the business units and other internal departments and organizations to facilitate IT risk analysis and risk management processes, identify acceptable levels of residual risk, and establish roles and responsibilities related to information classification and protection.
  • Assist in designing and conducting new risk assessments for the MTA and its Agencies to ensure that risks to MTA IT assets are identified and mitigated when required.
  • Assist with the oversight of technical risk assessments, such as PCI/DSS vulnerability scanning, application risk assessment, network design review and penetration testing, while assisting with third-party assessments.
  • Work in a team environment interacting with the PCI QSA, business units and other security professionals to confirm findings and resolve misunderstandings resulting from the PCI risk assessment review; analyze the QA test process and help develop procedural strategies for reviewing reports and services.
  • Coordinate information security and risk management projects with personnel from the IT organization, lines of business, and other internal departments and organizations.
  • Facilitate business alignment and communications by forming an IT risk management steering committee or advisory board.
  • Review risk assessments, analyze the effectiveness of MTA's IT internal control activities and report on them, with actionable recommendations, to the Risk and Compliance officer, CISO, IT director and managers.
  • Follow up on deficiencies identified in monitoring reviews, self-assessments, automated assessments, and internal and external audits to ensure that appropriate remediation measures have been taken.

Level 5
  • Analyze all the risk-related activities of MTA's IT organization, planning, testing, reporting, and recommending appropriate remediation measures.
  • Work with small teams to manage short- or long-term MTA-wide projects, and work with senior management of the MTA to report on issues related to IT security risks.
  • Oversee and monitor risk mitigation and coordinate policy and controls with the compliance manager, director and the chief information security officer (CISO), to ensure that other managers and IT staff are taking effective remediation steps.
  • Benchmark the risk management practices of other companies, particularly those in transportation and state government, to maintain an up-to-date understanding of industry best practices, and monitor the legal and regulatory environment for developments that could require changes to MTA's established IT policies and practices.
  • Create, disseminate and (as required) update documentation of MTA's matrix of identified IT risks and controls.
  • Work directly with the business units and other internal departments and organizations to facilitate IT risk analysis and risk management processes, identify acceptable levels of residual risk, and establish roles and responsibilities related to information classification and protection.
  • Assist in designing and conducting new risk assessments for the MTA and its Agencies to ensure that risks to MTA IT assets are identified and mitigated when required.
  • Assist with the oversight of technical risk assessments, such as PCI/DSS vulnerability scanning, application risk assessment, network design review and penetration testing, while assisting with third-party assessments.
  • Work in a team environment interacting with the PCI QSA, business units and other security professionals to confirm findings and resolve misunderstandings resulting from the PCI risk assessment review; analyze the QA test process and help develop procedural strategies for reviewing reports and services.
  • Coordinate information security and risk management projects with personnel from the IT organization, lines of business, and other internal departments and organizations.
  • Facilitate business alignment and communications by forming an IT risk management steering committee or advisory board.
  • Review risk assessments, analyze the effectiveness of MTA's IT internal control activities and report on them, with actionable recommendations, to the Risk and Compliance officer, CISO, IT director and managers.
  • Follow up on deficiencies identified in monitoring reviews, self-assessments, automated assessments, and internal and external audits to ensure that appropriate remediation measures have been taken.

Qualifications

Level 3
  • Good leadership skills.
  • Good troubleshooting and problem-solving skills.
  • Strong technical and analytical abilities.
  • Strong oral and written communication skills.
  • Well-organized and highly motivated.
  • Must be able to move and lift up to 25 lbs of equipment such as monitors, keyboards, CPUs, laptops, firewalls, etc.
  • Must possess a valid driver's license.

Level 4
  • Good leadership skills.
  • Good troubleshooting and problem-solving skills.
  • Strong technical and analytical abilities.
  • Strong oral and written communication skills.
  • Well-organized and highly motivated.
  • Knowledge of industry best practices.
  • Proficiency in ISO, CSA, NIST, COBIT and other industry frameworks.
  • Demonstrated experience leading small teams on short- or long-term projects.
  • Expert-level knowledge of Governance, Risk and Compliance tools.
  • Knowledge of secure coding techniques along with application security assessment tools.

Level 5
  • Strong leadership skills.
  • Strong troubleshooting and problem-solving skills.
  • Strong technical and analytical abilities.
  • Strong ability to motivate and develop personnel.
  • Represent the Risk & Compliance Manager in their absence.
  • Experienced in interacting with all levels of the organization.
  • Ability to lead highly technical personnel.
  • Well-organized and highly motivated.
  • Knowledge of industry best practices.
  • Proficiency in ISO, NIST, COBIT and other industry frameworks.
  • Proficient in the use of risk assessment tools.
  • Demonstrated experience leading small teams on short- or long-term projects.
  • Expert-level knowledge of Governance, Risk and Compliance tools.
  • Knowledge of secure coding techniques along with application security assessment tools.
  • Knowledge of programming languages such as Python, Java, JavaScript, etc. strongly preferred.

Education and Experience

Level 3
  • A Bachelor's degree in Computer Science, Business Administration, Engineering, Finance or Information Services (or the equivalent of education and progressively responsible experience) plus a minimum of 3 to 4 years of Information Technology experience, with a minimum of 2 years of risk and compliance related experience.
  • Knowledge and experience of a broad range of policies, standards and common risk management methodologies, for example COSO, ISO 27001, PCI/DSS, COBIT, ITIL, ISO 2000, etc.

Level 4
  • A Bachelor's degree in Computer Science, Business Administration, Engineering, Finance or Information Services (or the equivalent of education and progressively responsible experience) plus a minimum of 6 years of Information Technology experience, of which 3 must be in the risk and compliance area.
  • Knowledge and experience of a broad range of policies, standards and common risk management methodologies, for example COSO, ISO 27001, PCI/DSS, COBIT, ITIL, ISO 2000, etc.
  • IT Security Certifications (CISSP, CISA, SANS, etc.) are a plus.

Level 5
  • A Bachelor's degree in Computer Science, Business Administration, Engineering, Finance or Information Services (or the equivalent of education and progressively responsible experience) plus a minimum of 8 years of Information Technology experience, with a minimum of 4 years of experience in application security along with risk and compliance.
  • Knowledge and experience of a broad range of policies, standards and common risk management methodologies, for example COSO, ISO 27001, PCI/DSS, COBIT, ITIL, ISO 2000, etc.
  • IT Security Certifications (CISSP, CISA, SANS, etc.) are a plus.

Other Information

As an employee of MTA Headquarters you may be required to complete an annual financial disclosure statement with the State of New York, if your position earns more than $101,379 (this figure is subject to change) per year or if the position is designated as a policy maker.

How To Apply

Qualified applicants can submit an online application by clicking on the 'APPLY NOW' button from either the CAREERS page or from the JOB DESCRIPTION page.

If you have previously applied online for other positions, enter your User Name and Password. If it is your first registration, click on the CLICK HERE TO REGISTER hyperlink and enter a User Name and Password; then click on the REGISTER button.

Equal Employment Opportunity

MTA and its subsidiary and affiliated agencies are Equal Opportunity Employers, including with respect to veteran status and individuals with disabilities.

The MTA encourages qualified applicants from diverse backgrounds, experiences, and abilities, including military service members, to apply.
